20
Simjacker
Technical Report ©2019 AdaptiveMobile Security
5 Attack Format and Evolution We have observed the Attacker Entity use multiple different methods to avoid detection over the entire period that we have been aware of it. Below is a sample of some of these techniques. The extensive range of these techniques illustrates how complex the attackers are and their range of abilities.
5.1
Avoidance techniques 5.1.1
Alternative Input Routes The primary method for injection of the Simjacker Location
attacks is via Handset, that is messages were submitted to the mobile network via SMS-SUBMIT/MO-FSM packets. However different methods are possible and were occasionally observed in the wild, as follows
•
A2P Sources We detected SMS Simjacker Attacks being sent via VASP Shortcodes, which directly submitted these messages to the targeted Operators SMSC. This was done in order to avoid filtering setups which may assume that messages from VASP sources are safe/trusted.
•
SS7 Sources We detected SMS Simjacker Attacks being sent from external SS SCCP Global Titles worldwide, being sent to the targeted subscribers currently serving MSC/VLR. This was done in order to exploit any unfiltered ingress points into the operator mobile’s network.
5.1.2
Share with your friends: